
March 12th, 2011 11:00

Worm???

Hi,

I opened an email which looked legit (post express) as I was expecting a package, opened the attachment and my Dell Inspiron 1545 started crashing. McAfee kept coming up saying real time scan not on and when I clicked to turn it on, it kept turning off. I can open with Safe Mode, but my wireless and landline connection don't work. The only thing I can see when info about dumping and errors come up is Driver IRQL is not less or equal, and then it all crashes before I can read any other info.

McAfee hasn't responded and a friend said the same thing happened to him and he needed to go through a Dell Tech by phone for lots of ££££ because it was a worm. I have done a scan with disc I got with computer and all seems OK. If it is a worm, I've heard they never leave the hard drive, just stay dormant and I will have to get a new email address because just going on to my email will wake it up. I haven't deleted the email, just put it in my Spam box for now.

Help is appreciated

 

Trishk




3 Apprentice

 • 

20.5K Posts

March 12th, 2011 11:00

Trishk, was it the email that is described here? http://nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out/

I suggest that you delete it from your Spam Box and make sure it has been deleted from Deleted Messages as well. If you cannot get online, you will need to use a clean computer to download some tools to a USB stick or CD. Will you be able to do that?

 


32 Posts

March 13th, 2011 05:00

Hi,

Yes, that's the one and I have now deleted it from my spam and email account. I was just keeping it in case the name was needed to get rid of the worm.

I was told I need to call a Dell technician to get rid of this worm, but what else can you suggest?

 

Thanks

trish

 

3 Apprentice

 • 

20.5K Posts

March 13th, 2011 07:00

It's up to you. We can try to clean it if you would like to try that first.

If so, you will need the clean computer to access the forum and to transfer tools and logs. You can use a CD or USB flash drive.

In order to run Malwarebytes Anti-Malware, using the clean computer, download and rename the program installer "mbam-setup.exe" file to something else like "trishk.exe". Copy the installer file and the update file to your CD or flash drive.

Transfer the files to the infected computer.  (You would use the update link mentioned below to manually update.) Install the "trishk.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

  Please download Malwarebytes Anti-Malware and save it to the CD or USB flash drive.
alternate download link 2

  • * NOTE: You must rename it before moving it to the infected computer.

After you have renamed it and transferred the program to the infected computer, double-click on trishk.exe to install the application.

  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Then click Finish.
Manually download updates from here
Update through MBAM's interface from a clean computer; copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to your USB stick or CD and then copy it to the infected machine.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Transfer the log to the clean computer via CD or flash drive so you can copy and paste the contents of that report into your reply here, then exit MBAM.

Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.

**If you need to re-install MBAM but encounter issues in re-installing, try using the MBAM Cleanup Utility by downloading it from HERE

 

32 Posts

March 13th, 2011 10:00

Hi,

Wow, a lot of info for someone not very literate about computers, but I'll give it a go. I'm going to print your instructions and make sure I understand it before actually doing what you've said as I don't want to screw up my laptop any more than it already is. May take me a day or so, but I will be back in touch with any questions and or progress.

 

Thanks so much for your time and help

Trish

 

3 Apprentice

 • 

20.5K Posts

March 13th, 2011 11:00

Yes, please print the instructions and read them over before you start. If you have any questions ask before you begin.

You cannot use the computer in its infected state, so being concerned with messing it up is not an issue at this point. Malwarebytes' Anti-malware is safe to use. The biggest problem is getting it to run on the infected machine. The worst that can happen, and what Dell paid support may tell you to do, is to reformat/reinstall the operating system. That is more trouble than what you will be doing here, so we'll try this first before you go there.

32 Posts

March 14th, 2011 09:00

Hi,

There are several web sites for Malwarebytes. One is the malware...org, another says it's the latest and is at softlate.com. Which one should I use?

Trish

32 Posts

March 14th, 2011 09:00

Hi again,

I see now that I have to access Malwarebytes via your email and have done so. It puts me into a web site, Major Geeks online store, where I have to buy a consumer license and option for extended license for total of about £19. Is this correct? There is also something about a license for 24$. on link 2

 

trish

3 Apprentice

 • 

20.5K Posts

March 14th, 2011 10:00

All the tools that we use here are FREE versions. You do not need to purchase anything unless you want an upgraded version with realtime scanning and automatic updating. You do not need a paid version right now, and have the option of upgrading later if you choose to do so.

If you click on the first link that I posted above, it takes you to a download hosting site that gives you a choice to Download or Purchase. Click on Download for the free version.

If you click on the second link, it takes you to Majorgeeks. That one gives you the option to Download (the free version) from one of download mirrors or purchase a license for the upgraded version.

 

* The email notifications are sent simply as a reminder that I have replied so you can return to the forum. The emails may not include all the information that you need, so it is best to come to the forum to read the entire post, rather than trying to work from the emails.

3 Apprentice

 • 

20.5K Posts

March 14th, 2011 11:00

The first link is for BestTechie which redirects to here: http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1

If you are being redirected to softlate.com, on your "clean" computer, we might need to check that one for malware as well.

32 Posts

March 14th, 2011 11:00

When I click on the first site you gave me, it sends me to Major Geeks as does the second site. I'll check it out again and see if I can find the free download on Major Geeks.

 

Trish

32 Posts

March 14th, 2011 11:00

Hi,

I was able to download the malware from the Geek site, but Windows won't let it copy, send to or transfer to the CD disc. I am on an Asus EEE900 with XP and have connected a portable CD player as this little Asus has no CD drive. What now??

 

trish

3 Apprentice

 • 

20.5K Posts

March 14th, 2011 12:00

I'm confused about how you are doing this. You downloaded and saved the MBAM setup to the CD. You inserted the CD into the infected machine, and it won't run?

Are you able to boot the infected machine into Safemode and do it that way?

32 Posts

March 14th, 2011 12:00

Hi,

Sorry if I'm confusing you. I downloaded the program to the Asus I am using. I have a separate CD drive attached to the Asus, but am unable to transfer the downloaded malware from the Asus to the CD. An error message comes up saying Windows will not do it. I am going to try to put the downloaded malware program on a Flash drive and if that works, then will proceed with the rest of your instructions.

 

trish

32 Posts

March 14th, 2011 14:00

Hi,

This is what happened. I was able to install the Malware removal onto the Dell and run the scan. It picked up one Adware bug and I removed it according to the Malware removal instructions. I ran the scan again and it came up clean, so I restarted the computer as you said and it came up fine, no problems, and I thought that it was fixed. I tried to put the landline internet plug in and it didn't work.

I tried to open the music icon and it all crashed again. I was able to open it in safe mode, and start the scan again, but it crashed during the scan. I opened it again in safe mode, decided to try the full scan in case the malware was deeper than the quick scan would see it, but it crashed after a few minutes during the scan.

I'm finished for the night with this as very frustrated, and tired but if you have any other suggestions.....

 

trish

3 Apprentice

 • 

20.5K Posts

March 14th, 2011 16:00

Trish, it seems that you are doing things that are not included in the steps that I posted. By doing things out of sequence, and attempting to run scans on your own, it may be making things worse as the malware has time to activate again.

You tried to run Malwarebytes twice rather than once, and use the landline to connect to the internet. I would have advised against that until I was sure we had killed the downloader. I'm not sure why you tried to open a "music icon". 

Let's see if we can disable the malware long enough to run Malwarebytes. You will need to download another tool called RKill to your CD, and transfer that to the infected computer. Please print these instructions so you can follow them carefully.

Reboot your computer into Safe Mode. When the computer reboots into Safe Mode, make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.
In the event that the infection has changed your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, we should fix this. Please start Internet Explorer. You will be offline in Safe Mode, so it will open but you will not see your homepage when the program is open. Click on the Tools menu and then select Internet Options.
When at the Internet Options screen click on the Connections tab.

When you see the Connections tab, click on the Lan Settings button. You will now be at the Local Area Network (LAN) settings.
Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Next, press the OK button to close the Internet Options screen. Now that you have disabled the proxy server that may help with your connection problem.

These things are never a one-shot fix, so patience is needed.

Please download RKill by Grinler to your CD so you can transfer it to the desktop of the infected computer. When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

** Do not download any other programs or other scans advertised on that page.

Once it is downloaded to your CD, transfer RKill to the other computer still in Safe Mode. When it is on the desktop of the infected computer, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with your malware and other Rogue programs. If using Vista or Windows 7, right-click on it and Run As Administrator. Please be patient while the program looks for various malware programs and ends them.

  • When it has finished, the black window will automatically close and you can continue with the next step.

    If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infections' warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate the infection. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the instructions. If you continue having problems running RKill, you can download other renamed versions of RKill from the download page. If you reboot, the malware will activate, so you will need to run RKill again.

    Next, you will run Malwarebytes. Since the infected computer is not connected to the internet, if you did not update Malwarebytes before, you can download the updates from here to the CD, transfer them and just double-click on mbam-rules.exe to install.

    • Alternatively, if your clean computer already has Malwarebytes installed on it you can update through MBAM's interface on your clean computer, and copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to your CD and then copy it to the infected machine to the same location on the infected one:
      C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'

      The settings will be the same as before - to review:

    •  On the Scanner tab:

      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:

    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. If MBAM wants to reboot normally, let it do so.
    •  Now....see if you can get online with the infected computer. If so, copy and paste the contents of that report into your next reply and exit MBAM. If not, we'll try a bigger gun.
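
The "Use a proxy server for your LAN" checkbox in the steps above is stored per user in the ProxyEnable and ProxyServer values under Internet Settings. As an added example (not part of the original thread), this Python code parses saved `reg query` output and reports an enabled proxy; the sample output is constructed, and treating a loopback address as worth a closer look is an assumption of the example.

```python
import re

# Constructed sample of saved output from:
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:5555
    ProxyOverride    REG_SZ    <local>
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
LOOPBACK = {"127.0.0.1", "localhost"}  # assumption: a local listener deserves a closer look


def parse_reg_query(text):
    """Return {value_name: data} from reg query output; REG_DWORD becomes int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, kind, data = m.groups()
            data = data.strip()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def proxy_endpoints(proxy_server):
    """Split 'host:port' or 'http=host:port;https=host:port' into (scheme, host, port)."""
    out = []
    for part in filter(None, proxy_server.split(";")):
        scheme, _, addr = part.rpartition("=")
        host, _, port = addr.rpartition(":")
        out.append((scheme or "all", host or addr, port if host else ""))
    return out


def review_proxy(values):
    """List findings for the proxy-related values of one user profile."""
    findings = []
    if values.get("ProxyEnable", 0) == 1:
        server = values.get("ProxyServer", "")
        findings.append(f"proxy enabled: {server or '(no ProxyServer value)'}")
        for scheme, host, port in proxy_endpoints(server):
            if host in LOOPBACK:
                findings.append(f"{scheme} traffic sent to local listener {host}:{port}")
    if values.get("AutoConfigURL"):
        findings.append(f"auto-config script set: {values['AutoConfigURL']}")
    return findings


if __name__ == "__main__":
    print("\n".join(review_proxy(parse_reg_query(SAMPLE))) or "no proxy configured")
```

An empty result means the checkbox is already cleared for that user; the values are per profile, so the query has to be run under the account that normally logs in.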
